Coupang insider data breach (2025)
A former Coupang employee accessed personal data on 33.7 million customer accounts of South Korea's largest e-commerce platform. Coupang announced a $1.17 billion compensation plan; its head of Korean e-commerce resigned.
- Victim
- Coupang
- Loss
- $1.17B
- records
- 33.7M
- users
- 33.7M
In November 2025, Coupang β South Korea's largest online retailer, often described as the country's Amazon β disclosed that a former employee had accessed personal data on 33.7 million customer accounts, in what became one of the defining data-governance incidents in South Korean history.
What happened
Unauthorized access began on 24 June 2025, when credentials belonging to a former Coupang employee β a former Chinese national employee now residing abroad β were used to query Coupang's customer database from overseas servers. The activity went undetected for over four months.
Coupang detected unusual access on 6 November 2025 and traced the intrusion's last day to 8 November. After internal scoping was complete on 18 November, the company publicly disclosed the breach on 29 November 2025.
Exposed data included names, phone numbers, email addresses, delivery addresses, and order histories. Payment cards, banking data, and login credentials were not in the affected dataset.
Impact
- 33.7 million customer accounts exposed β well over half of South Korea's population.
- Coupang announced a 1.69 trillion won (~$1.17 billion USD) compensation plan: every affected customer receives a one-time, platform-only voucher worth about 50,000 won.
- Park Dae-jun, head of Coupang's Korean e-commerce operations, resigned in mid-December 2025.
- The incident became a focal point in South Korea's debate over data-governance reform and accelerated calls for stricter controls on insider access at platform companies.
Why it matters
Coupang did not fall to a zero-day or a state-backed APT β it fell to a credential that should have been revoked when its owner left the company. The four-month dwell time between unauthorized access and detection put under-investment in insider-threat monitoring at the centre of the discussion. The scale of the compensation programme β over a billion dollars in store-only vouchers β is also one of the largest private-sector breach restitution efforts on record.
Timeline
Unauthorized access to customer data begins via overseas servers, using credentials of a former employee.
Coupang detects unusual access at 18:38 KST.
Last day of unauthorized access.
Full scope of the breach identified internally.
Coupang publicly discloses the breach: 33.7 million customer accounts affected.
Park Dae-jun, head of Coupang's South Korean e-commerce operations, resigns amid public pressure.
Compensation plan begins: each affected customer is issued a one-time platform voucher worth ~50,000 won (~$34.84); total programme value 1.69 trillion won (~$1.17 billion).
Sources
- incyber.orghttps://incyber.org/en/article/south-korea-data-breach-exposes-33-7-million-coupang-accounts/
- securityaffairs.comhttps://securityaffairs.com/186331/security/coupang-announces-1-17b-compensation-plan-for-33-7m-data-breach-victims.html
- securityweek.comhttps://www.securityweek.com/coupang-to-issue-1-17-billion-in-vouchers-over-data-breach/
- thediplomat.comhttps://thediplomat.com/2026/03/coupangs-data-breach-and-the-urgency-of-data-governance-reform-in-south-korea/